Company details security servicing criteria

Jun 14, 2018 09:23 GMT

Microsoft has provided a closer look at the security servicing criteria the company uses to decide whether a given bug in its products gets fixed and how quickly that happens after a report is submitted.

The software giant says that there are two questions asked whenever vulnerabilities are reported. “Does the vulnerability violate a promise made by a security boundary or a security feature that Microsoft has committed to defending? Does the severity of the vulnerability meet the bar for servicing?”

Based on these two questions, the company's security teams decide what to do next: whether a fix is developed and pushed to systems as soon as possible, or whether the issue is simply considered for the next release cycle, typically Patch Tuesday.

“If the answer to both questions is yes, then the vulnerability will be addressed through a security update that applies to all affected and supported offerings. If the answer to either question is no, then by default the vulnerability will be considered for the next version or release of an offering but will not be addressed through a security update, though in some cases an exception may be made,” Microsoft says.

Severity ratings

The company then goes on to discuss security reports that qualify for bounties, as Microsoft has launched several programs that allow researchers to submit flaws in its products in exchange for financial rewards.

The Redmond-based software giant also details vulnerability severity ratings, pointing out that the only flaws rated critical are those allowing Remote Code Execution.

Elevation of Privilege, Information Disclosure, Remote Code Execution, Denial of Service and Security Feature Bypass can be flagged as important flaws, while the moderate rating applies to Denial of Service bugs that allow an attacker to disrupt the system and interrupt or halt normal operations.

Microsoft says that these rules are still under consideration and that it is willing to tweak them further depending on feedback; security researchers are asked to submit their thoughts to [email protected].